Malware Analysis Report

2025-06-16 03:45

Sample ID 220908-168qtsdagk
Target cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a
SHA256 cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a
Tags
eternity
score
10/10

Analysis Overview

score
10/10

SHA256

cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a

Threat Level: Known bad

The file cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a was found to be: Known bad.

Malicious Activity Summary

eternity

Eternity

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-09-08 22:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-08 22:16

Reported

2022-09-08 22:21

Platform

win7-20220812-en

Max time kernel

75s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe"

Signatures

Eternity

eternity

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 864 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 864 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 864 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 864 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 864 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 864 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 864 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 864 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 864 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 864 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 864 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 864 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe

"C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country Destination Domain Proto
RU 178.20.44.214:80 178.20.44.214 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-09-08 22:16

Reported

2022-09-08 22:22

Platform

win10-20220812-en

Max time kernel

150s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe"

Signatures

Eternity

eternity

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3828 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3828 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe

"C:\Users\Admin\AppData\Local\Temp\cdef9022412b98764813da2d8310179897caa8f9de07d3f1bad762b60a95802a.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country Destination Domain Proto
US 13.89.179.10:443 tcp
RU 178.20.44.214:80 178.20.44.214 tcp

Files
